After US Allegations Against Kaspersky Lab, UK Responds

The British government has taken a cue from the U.S. government's concern about Kaspersky Lab's anti-virus software. The U.K.'s National Cyber Security Center, which advises organizations on cybersecurity matters and is part of intelligence agency GCHQ, now recommends that British government agencies that handle certain types of classified information not use anti-virus software developed by any Russia-based organization.

But in a step that goes beyond the NCSC's advice, banking giant Barclays says it will no longer give its customers free copies of Kaspersky's anti-virus software.

The NCSC, however, has stressed that most organizations should carefully consider their own potential risks before opting to ditch Kaspersky's software. Its advice differs from the United States, where the government first advised against procuring Kaspersky and then completely banned it from government networks in early September (see Kaspersky Software Ordered Removed From US Government Computers).

But the new guidance could further dim Kaspersky Lab's opportunities for future U.K. sales, both in the government and for large contracts, such as with banks. And the NCSC's recommendation represents yet more bad news for Kaspersky Lab, which has strongly refuted allegations that the Russian government may have co-opted its software to serve as a search engine for other governments' secrets.

Tarnished Darling

Kaspersky Lab's anti-virus product is widely regarded as one of the most capable offerings on the market. Led by the gregarious Eugene Kaspersky, a software engineer turned entrepreneur, the company has a research team that has uncovered some of the world's most sophisticated hacking groups, including Equation, which is widely believed to be the U.S. National Security Agency's offensive hacking team.

But the software company's reputation has been tarnished after anonymous U.S. officials suggested that using its software might put users at risk. In October, Israeli intelligence agents reportedly told the U.S. government that they had hacked into Kaspersky Lab's infrastructure and found that Russian hackers were already there, monitoring the company's communications with endpoints.

The Kaspersky Lab saga became more complex after the company said that its consumer anti-virus software had flagged and collected four classified documents and NSA-developed malware from the home computer of an NSA analyst in 2014. The analyst, Nghia Hoang Pho, pleaded guilty to mishandling classified material (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).

Kaspersky has said that it detected malware on the home PC that it thought might be connected with the Equation Group. As with other anti-virus software, Kaspersky Lab's software collected the suspicious files and sent them back to headquarters for analysis.

When researchers realized what had been collected and informed Eugene Kaspersky, he says that he ordered the material to be deleted, the company said last month following an in-depth investigation into the incident. But the U.S. government alleges that the material ended up in the hands of the Russian government after the analyst's computer was further targeted (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software).

Recommendation: Not For Secrets

The British government has now reacted to these allegations.

"There's been a lot of speculation about foreign involvement in the U.K. supply chain recently," Ian Levy, technical director of the U.K. National Cyber Security Center, says in a blog post.

In a letter to the permanent secretaries of U.K. government bodies, Ciaran Martin, head of the NCSC, writes that Russian anti-virus products should not be used for certain official-tier organizations or anyone handling information classified as "secret" or higher. But most systems, he says, are not at risk.

"Russia has the intent to target U.K. central government and the U.K.'s critical national infrastructure," Martin writes. "However, the overwhelming majority of U.K. individuals and organizations are not being actively targeted by the Russian state, and are far more likely to be targeted by cybercriminals."

Because of the "highly intrusive" nature of anti-virus software and the fact that most products send data and information back to a vendor, "that's why the country of origin matters," Martin writes.

"It isn't everything, and nor is it a simple matter of flags - there are Western companies who have non-Western contributors to their supply chain, including from hostile states," he writes. "But in the national security space there are some obvious risks around foreign ownership."

Don't Panic

In a separate blog post, Levy - the NCSC's technical director - says that the agency's advice is "a bit complex and nuanced" but stresses that no one should panic. "For example, we really don't want people doing things like ripping out Kaspersky software at large, as it makes little sense," he writes.

Future efforts may also ease any lingering concerns. Martin says that the NCSC is in discussions with Kaspersky Lab that are focused on developing a framework that could be used to verify that U.K. data isn't transferred to the Russian state.

"We will be transparent about the outcome of those discussions with Kaspersky Lab, and we will adjust our guidance if necessary in the light of any conclusions," Martin writes.

In a statement, Kaspersky Lab says it "looks forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab's products and services."

Barclays Bails

Some British users of Kaspersky Lab products, however, have already cut ties with the company. British bank Barclays, for example, has withdrawn an offer to its customers to receive a free copy of Kaspersky Lab's anti-virus software, Reuters reports.

Many banks have deals with anti-virus companies to offer free security software, which reduces the risk of bank-related fraud that starts with malicious software infections.

In response to the Barclays move, Kaspersky Lab says it is "disappointed Barclays has decided to discontinue offering Kaspersky Lab anti-virus to new customers. It's very important to note that the NCSC is not encouraging consumers or businesses against using Kaspersky Lab software."

About the Author

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;